Detailed Interface

Events

Generated at the end of reassembled TCP connections. The TCP reassembler
raises the event once for each endpoint of a connection, when it has finished
reassembling that endpoint's side of the communication.

This event has quite low-level semantics and can be expensive to generate.
Use it only if you really need the specific information passed to the
handler via the pkt argument; otherwise, handling one of the other
connection_* events is usually the better approach.

Generated for an unsuccessful connection attempt, i.e. when an originator has
tried to establish a connection without success. "Unsuccessful" means that at
least tcp_attempt_delay seconds have elapsed since the originator first sent a
connection establishment packet to the destination without a reply being seen.

Generated when a SYN-ACK packet is seen from the responder in a TCP
handshake. If the originator endpoint's state is not TCP_ESTABLISHED at this
point, the associated SYN packet was not seen from the originator side.
The final ACK of the handshake, in response to the SYN-ACK, may or may not be
seen later; one way to tell is to check the connection's history field for an
'A', which indicates that the originator sent an ACK (uppercase letters in the
history string denote the originator's side, lowercase letters the responder's).
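The following handlers are an added example, not code from the Bro documentation. They assume the two events above are Bro's connection_attempt and connection_established, that tcp_attempt_delay is redefinable, and that the history-letter case convention (uppercase = originator) holds. Because connection_established fires on the SYN-ACK, the originator's ACK cannot be in the history yet; the check for it is therefore deferred to connection_state_remove, when the connection is torn down.

```bro
# Added example: track whether three-way handshakes complete. Assumes the
# events are Bro's connection_attempt and connection_established.

# Uncomment to wait longer than the default before an unanswered SYN is
# reported as an attempt (assumes tcp_attempt_delay is &redef):
# redef tcp_attempt_delay = 10 secs;

# UIDs of connections for which the responder's SYN-ACK was seen.
global saw_synack: set[string];

event connection_established(c: connection)
    {
    # Raised on the SYN-ACK, so the originator's final ACK cannot have been
    # seen yet. What we can tell here is whether the originator's SYN was
    # seen at all: if not, the originator endpoint is not TCP_ESTABLISHED.
    if ( c$orig$state != TCP_ESTABLISHED )
        print fmt("%s SYN-ACK from %s:%s without a preceding SYN (history=%s)",
                  c$uid, c$id$resp_h, c$id$resp_p, c$history);

    add saw_synack[c$uid];
    }

event connection_attempt(c: connection)
    {
    # Raised only after tcp_attempt_delay has elapsed with no reply seen.
    print fmt("%s unanswered SYN %s -> %s:%s (history=%s)",
              c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p, c$history);
    }

event connection_state_remove(c: connection)
    {
    if ( c$uid !in saw_synack )
        return;
    delete saw_synack[c$uid];

    # An uppercase 'A' in the history means the originator sent a pure ACK,
    # i.e. the third packet of the handshake was observed at some point.
    if ( "A" in c$history )
        print fmt("%s handshake completed (history=%s)", c$uid, c$history);
    else
        print fmt("%s SYN-ACK never acknowledged (history=%s)", c$uid, c$history);
    }
```

Run it against a trace with `bro -r trace.pcap script.bro`. The two cases it separates are a responder that answers a SYN the sensor never saw (asymmetric visibility) and a SYN-ACK that is never acknowledged (a half-open handshake, as seen with SYN scanning or a client that gave up).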

Generated when one endpoint of a TCP connection has attempted to gracefully close
the connection while the other endpoint is still in the TCP_INACTIVE state. This
can happen with split routing, where Bro sees only one direction of a connection.

Generated when a previously inactive endpoint attempts to close a TCP
connection, either via a normal FIN handshake or via an aborting RST. Once the
endpoint has sent one of these packets, Bro waits tcp_partial_close_delay
before generating the event, to give the other endpoint a chance to close the
connection normally.

Generated for a new active TCP connection if Bro did not see the initial
handshake. This event is raised when Bro has observed traffic from each
endpoint, but the activity did not begin with the usual connection
establishment.
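As an added example (not part of the Bro documentation), the script below handles the three events above, assuming they are Bro's connection_half_finished, connection_partial_close and partial_connection. It reports which endpoint Bro never heard from, which is the symptom of split routing the text describes, and tallies such connections per responder port.

```bro
# Added example: surface one-sided and mid-stream TCP connections. Assumes
# the events are connection_half_finished, connection_partial_close and
# partial_connection, and that endpoint states are the TCP_* constants.

# Map a TCP endpoint state to a short label for printing.
function state_name(s: count): string
    {
    if ( s == TCP_INACTIVE )    return "INACTIVE";
    if ( s == TCP_ESTABLISHED ) return "ESTABLISHED";
    if ( s == TCP_PARTIAL )     return "PARTIAL";
    if ( s == TCP_CLOSED )      return "CLOSED";
    if ( s == TCP_RESET )       return "RESET";
    return fmt("state %d", s);
    }

# Per responder port: connections where only one side was ever seen.
global one_sided: table[port] of count;

function tally(c: connection)
    {
    if ( c$id$resp_p !in one_sided )
        one_sided[c$id$resp_p] = 0;
    one_sided[c$id$resp_p] = one_sided[c$id$resp_p] + 1;
    }

event connection_half_finished(c: connection)
    {
    # One side sent a FIN while the other side is still TCP_INACTIVE, so the
    # inactive side is the direction the sensor never saw.
    local quiet = ( c$orig$state == TCP_INACTIVE ) ? "originator" : "responder";
    print fmt("%s half-finished: never saw the %s (orig=%s resp=%s)",
              c$uid, quiet, state_name(c$orig$state), state_name(c$resp$state));
    tally(c);
    }

event connection_partial_close(c: connection)
    {
    # A previously inactive endpoint sent FIN or RST; Bro already waited
    # tcp_partial_close_delay for the other side before raising this.
    print fmt("%s partial close (orig=%s resp=%s history=%s)", c$uid,
              state_name(c$orig$state), state_name(c$resp$state), c$history);
    }

event partial_connection(c: connection)
    {
    # Traffic from both endpoints but no handshake: picked up mid-stream,
    # e.g. a long-lived session that predates the capture.
    print fmt("%s picked up mid-stream (history=%s)", c$uid, c$history);
    }

event bro_done()
    {
    for ( p in one_sided )
        print fmt("port %s: %d one-sided connections", p, one_sided[p]);
    }
```

A high per-port count of one-sided connections on a live sensor usually points at the tap or SPAN configuration rather than at the hosts involved.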

The payload passed to this event is the same data that is also passed to the
application-layer protocol analyzers internally. Successive invocations of
this event for the same connection receive non-overlapping, in-order chunks
of that direction's TCP payload stream. The size of each chunk is, however,
undefined: Bro passes data on as soon as it can, but the exact chunking
depends on network-level effects such as latency, acknowledgements and
reordering.
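The handler below is an added example, not code from the Bro documentation. It assumes the event is Bro's tcp_contents(c, is_orig, seq, contents), that seq is the relative sequence number of the first byte of contents, and that content delivery has to be switched on with the tcp_content_deliver_all_orig/resp redefs (it is off by default). Since chunk sizes are undefined, the only invariant worth checking is sequence continuity between consecutive chunks of one direction.

```bro
# Added example: reassembled-stream accounting via tcp_contents. Assumes
# seq is the relative sequence number of the first byte of contents and that
# tcp_content_deliver_all_orig/resp enable delivery for all connections.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# Per (connection UID, direction): relative seq expected next, bytes delivered.
global next_seq: table[string, bool] of count;
global delivered: table[string, bool] of count;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    if ( [c$uid, is_orig] !in delivered )
        delivered[c$uid, is_orig] = 0;
    delivered[c$uid, is_orig] = delivered[c$uid, is_orig] + |contents|;

    # Chunks arrive in order and do not overlap, but their size is not fixed,
    # so the stable invariant is that each chunk starts where the last ended.
    if ( [c$uid, is_orig] in next_seq && next_seq[c$uid, is_orig] != seq )
        print fmt("%s %s: expected seq %d, got %d (content gap?)", c$uid,
                  is_orig ? "orig" : "resp", next_seq[c$uid, is_orig], seq);
    next_seq[c$uid, is_orig] = seq + |contents|;
    }

event connection_state_remove(c: connection)
    {
    local o = ( [c$uid, T] in delivered ) ? delivered[c$uid, T] : 0;
    local r = ( [c$uid, F] in delivered ) ? delivered[c$uid, F] : 0;

    # c$orig$size / c$resp$size count payload bytes seen on the wire; a
    # delivered total below that means part of the stream was never handed
    # to the analyzers (e.g. a capture gap the reassembler could not fill).
    print fmt("%s delivered orig=%d resp=%d bytes (seen orig=%d resp=%d)",
              c$uid, o, r, c$orig$size, c$resp$size);

    delete delivered[c$uid, T];
    delete delivered[c$uid, F];
    delete next_seq[c$uid, T];
    delete next_seq[c$uid, F];
    }
```

Enabling delivery for every connection is costly; on a live sensor, restrict it to the ports of interest via tcp_content_delivery_ports_orig/resp instead of the deliver_all switches.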

Generated for every TCP packet. This is a very low-level and expensive event
that should be avoided whenever possible; it is usually infeasible to handle
when processing even moderate traffic volumes in real time. It is slightly
better than new_packet because it is raised only for TCP packets, but not
much. That said, if you work from a trace and want to do some packet-level
analysis, it may come in handy.

c:

The connection the packet is part of.

is_orig:

True if the packet was sent by the connection’s originator.

flags:

A string with the packet’s TCP flags. In the string, each character
corresponds to one set flag, as follows: S -> SYN; F -> FIN;
R -> RST; A -> ACK; P -> PUSH.

seq:

The packet’s relative TCP sequence number.

ack:

If the ACK flag is set for the packet, the packet’s relative ACK
number, else zero.

len:

The length of the TCP payload, as specified in the packet header.

payload:

The raw TCP payload. Note that this may be shorter than len if
the packet was not fully captured.
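The script below is an added example, not code from the Bro documentation. It assumes the event is Bro's tcp_packet(c, is_orig, flags, seq, ack, len, payload) with the parameters described above, and is meant for offline use on a trace (`bro -r trace.pcap script.bro`), since handling every packet live is rarely affordable. It uses the len/payload distinction the text points out to detect truncated capture, and the flags string to spot SYNs that carry data.

```bro
# Added example: packet-level checks with tcp_packet. Assumes the parameter
# semantics given above (len from the header, payload as captured, one
# character per set flag). Intended for trace analysis, not live traffic.

global packets: count = 0;
global truncated: count = 0;      # payload shorter than header len
global syn_with_data: count = 0;  # SYN (without ACK) carrying payload

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    ++packets;

    # len comes from the headers; payload is what was actually captured.
    # A short snaplen shows up as the payload being shorter than len.
    if ( |payload| < len )
        {
        ++truncated;
        print fmt("%s %s truncated: header says %d bytes, captured %d",
                  c$uid, is_orig ? "orig" : "resp", len, |payload|);
        }

    # Each set flag is one character, so substring tests read the flags.
    # A SYN carrying payload is rare outside TCP Fast Open and worth a look.
    if ( "S" in flags && "A" !in flags && len > 0 )
        {
        ++syn_with_data;
        print fmt("%s SYN with %d payload bytes from %s:%s (flags=%s seq=%d ack=%d)",
                  c$uid, len, c$id$orig_h, c$id$orig_p, flags, seq, ack);
        }
    }

event bro_done()
    {
    print fmt("%d TCP packets, %d truncated, %d SYNs with payload",
              packets, truncated, syn_with_data);
    }
```

A non-zero truncated count means the trace was captured with a snaplen smaller than the packets; reassembled content events for those connections will be missing bytes, so conclusions drawn from application-layer analyzers on that trace should be treated with care.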